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AMENDMENTS TO THE CLAIMS 

Please amend claims 26 and 50 as indicated below. This listing of claims will replace all 
prior versions and listings of claims in the application. 

LISTING OF CLAIMS : 

1.-25. (Canceled) 

26. (Currently Amended) An intrusion detection system, implomontod uoing ono or more 
comput e rs, for detecting unauthorised use of a network, comprising: 
at least one computer: and 

a non-transitory computer readable medium encoded with a computer program product 
loadable into a memory of the at least one computer, the computer program product including: 

instructions for a sniffe r, implemented U3ing tho ono or mor e computers, for capturing 
data being transmitted on said network[[;]] J 

instructions for a pattern matching engine , implomont e d using tho ono or mor e 
comput e rs, for receiving data captured by said sniffer and comparing the captured data with 
attack signatures for generating an event when a match between the captured data and at least 
one attack signature is found[[;]] a and 

instructions for a response analysis engine , implem e nt e d using th e ono or mor e 
computers and triggered by said event, for comparing with response signatures response data 
being transmitted on said network as a response to said data matched with said at least one attack 
signature and for correlating results of said comparisons with attack and response signatures for 
generating an alarm. 
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27. (Previously Presented) The system of claim 26, wherein said response data is captured 
by said sniffer by performing an analysis of source IP address in data packets transmitted on said 
network. 

28. (Previously Presented) The system of claim 26, wherein said response data is captured 
by said sniffer by performing an analysis of both source and destination IP addresses in data 
packets transmitted on said network. 

29. (Previously Presented) The system of claim 26, wherein said response data is captured 
by said sniffer by analysing transport level information in data packets transmitted on said 
network. 

30. (Previously Presented) The system of claim 26, wherein said response analysis engine 
generates the alarm when said response data indicates that a new network connection has been 
established. 

3 1 . (Previously Presented) The system of claim 26, wherein said response signatures are 
arranged in two categories, response signatures identifying an illicit traffic, and response 
signatures identifying legitimate traffic. 

32. (Previously Presented) The system of claim 3 1 , wherein said response analysis engine 
generates the alarm when a match between the response data and a response signature identifying 
illicit traffic is found. 

3 3 . (Previously Presented) The system of claim 3 1 , wherein said response analysis engine 

comprises a counter which is incremented when a match between the response data and a 

response signature identifying legitimate traffic is found. 
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34. (Previously Presented) The system of claim 33, wherein, when said counter reaches a 
predetermined value, said response analysis engine terminates without generating any alarm. 

35. (Previously Presented) The system of claim 26, wherein said response analysis engine 
comprises a time-out system triggered by said event for starting a probing task. 

36. (Previously Presented) The system of claim 35, wherein said probing task verifies if any 
data has been detected on said network as the response to said data matched with said at least one 
attack signature and, if such condition is verified: 

generates the alarm in case only response signatures indicating legitimate traffic have 
been used by said response analysis engine; or 

ends the probing task in case only response signatures indicating illicit traffic or both 
response signatures indicating legitimate traffic and illicit traffic have been used by said response 
analysis engine. 

37. (Previously Presented) The system of claim 36, wherein, if such condition is not verified, 
said probing task attempts to perform a connection to a suspected attacked computer, for 
generating the alarm if such attempt is successful, or for ending the probing task if such attempt 
is unsuccessful. 

38. (Previously Presented) A method performed using one or more computers for detecting 
unauthorised use of a network, comprising: 

capturing data, using the one or more computers, being transmitted on said network; 
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comparing the captured data with attack signatures for generating an event, using the one 
or more computers, when a match between the captured data and at least one attack signature is 
found; and 

when triggered by said event: 

comparing with response signatures, using the one or more computers, response 
data being transmitted on said network as a response to said data matched with said at 
least one attack signature; and 

correlating results of said comparisons, using the one or more computers, with 
attack and response signatures for generating an alarm. 

39. (Previously Presented) The method of claim 38, wherein said response data is captured 
by performing an analysis of source IP address in data packets transmitted on said network. 

40. (Previously Presented) The method of claim 38, wherein said response data is captured 
by performing an analysis of both source and destination IP addresses in data packets transmitted 
on said network. 

41 . (Previously Presented) The method of claim 38, wherein said response data is captured 
by analysing transport level information in data packets transmitted on said network. 

42. (Previously Presented) The method of claim 38, comprising the step of generating the 
alarm when said response data indicates that a new network connection has been established. 

43. (Previously Presented) The method of claim 38, wherein said response signatures are 
arranged in two categories, response signatures identifying illicit traffic, and response signatures 
identifying legitimate traffic. 
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44. (Previously Presented) The method of claim 43, comprising the step of generating the 
alarm when a match between the response data and a response signature identifying illicit traffic 
is found. 

45. (Previously Presented) The method of claim 43, comprising the step of incrementing a 
counter when a match between the response data and a response signature identifying legitimate 
traffic is found. 

46. (Previously Presented) The method of claim 45, wherein said step of comparing data 
with response signatures is terminated when said counter reaches a predetermined value. 

47. (Previously Presented) The method of claim 38, comprising the step of providing a time- 
out system, triggered by said event, for starting a probing task. 

48. (Previously Presented) The method of claim 47, comprising the step of verifying if any 
data has been detected on said network as a response to said data matched with said at least one 
attack signature, and, if such condition is verified: 

generating the alarm in case only response signatures indicating legitimate traffic have 
been used; or 

ending said probing task in case only response signatures indicating illicit traffic or both 
response signatures indicating legitimate traffic and illicit traffic have been used. 

49. (Previously Presented) The method of claim 48, wherein, if such condition is not 
verified, said probing task attempts to perform a connection to a suspected attacked computer, 
for generating the alarm if such attempt is successful, or for ending the probing task if such 
attempt is unsuccessful. 
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50. (Currently Amended) A non-transitory computer readable medium encoded with a 
computer program product loadable into a memory of at least one computer, the computer 
program product including software code portions for performing the method of any one of 
claims 38 to 49. 
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